From vivek@etla.org Sun Jun 12 00:20:23 2005
Date: Sun, 12 Jun 2005 00:20:23 +0100 (BST)
From: Vivek Dasmohapatra
To: Tom Yates
Subject: possible proxy_arp problem : question about configuration

Hi Tom -

If you don't mind me picking your brains: I have a 3-legged firewall setup that looks like this:

  DMZ-[ xx.xx.xx.64/26 ][eth2    eth1][ xx.xx.xx.0/26 ]-xx.xx.xx.1 (isp router)
                         \        /
                          \ eth0 /
                           ~~~~~~~  there's actually a [10.100/16] hub/switch
                                    here, for various reasons

  eth2: xx.xx.xx.65
  eth1: xx.xx.xx.2

Now the isp router thinks the network is actually xx.xx.xx.0/25, so the firewall is proxy-arping for the machines in the DMZ so that the isp router will talk to the right box (i.e. the firewall).

This setup works in kernel 2.4.

However in 2.6 (8 and 11) it does not. Packets get forwarded from eth2 to eth1, and they turn up on the wire at eth1 (both outgoing and return packets are seen by tcpdump), but the incoming packets on eth1 for the .64 network are never seen by netfilter, not even in the raw table's PREROUTING chain.

This smells like a proxy arp problem to me.

/proc/sys/net/ipv4/ip_forward is 1.

I've turned on /proc/sys/net/ipv4/conf/eth{1,2}/proxy_arp (1), but this doesn't seem to help.

Any pointers here? Am I missing something obvious? Have I misunderstood how the setup works on my kernel 2.4 firewall? Is it something other than proxy arp?

Any help gratefully received...

--
Vivek
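The two kernel settings the mail checks by hand (net.ipv4.ip_forward and the per-interface proxy_arp flags) are easy to mis-read across several interfaces, so here is a small POSIX sh checker as an added example; it is not part of the original mail and says nothing about why the 2.6 kernels behave differently. It reads a sysctl-style listing and reports whether forwarding is on and whether every named interface has proxy_arp set. The listing embedded below is constructed to mirror the setup described above (eth1 toward the ISP router, eth2 toward the DMZ, eth0 toward the internal switch); on a real host you would feed it the output of `sysctl -a 2>/dev/null | grep -E 'ip_forward|proxy_arp'` instead, and the interface names are the mail's own.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original mail). Parses a sysctl(8)
# style "key = value" listing and reports the forwarding / proxy_arp state
# that a three-legged proxy-ARP firewall depends on.

# Constructed sample listing matching the mail's description: ip_forward on,
# proxy_arp enabled on eth1 and eth2 only. Replace with real sysctl output.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.eth0.proxy_arp = 0
net.ipv4.conf.eth1.proxy_arp = 1
net.ipv4.conf.eth2.proxy_arp = 1'

# sysctl_val LISTING KEY
# Prints the value recorded for KEY, or nothing if the key is absent.
sysctl_val() {
    printf '%s\n' "$1" | awk -v k="$2" -F' *= *' '$1 == k { print $2 }'
}

# proxy_arp_status LISTING IFACE
# Prints "on", "off" or "missing" for net.ipv4.conf.IFACE.proxy_arp.
proxy_arp_status() {
    v=$(sysctl_val "$1" "net.ipv4.conf.$2.proxy_arp")
    case "$v" in
        1) echo on ;;
        0) echo off ;;
        *) echo missing ;;
    esac
}

# check_forwarding_setup LISTING IFACE...
# Prints a one-line report per setting. Returns 0 only when ip_forward is 1
# and every listed interface has proxy_arp set to 1; returns 1 otherwise.
check_forwarding_setup() {
    listing=$1
    shift
    rc=0
    fwd=$(sysctl_val "$listing" net.ipv4.ip_forward)
    echo "ip_forward: ${fwd:-missing}"
    [ "$fwd" = 1 ] || rc=1
    for iface in "$@"; do
        s=$(proxy_arp_status "$listing" "$iface")
        echo "proxy_arp on $iface: $s"
        [ "$s" = on ] || rc=1
    done
    return $rc
}

# The mail's case: proxy ARP is needed on the ISP-facing leg (eth1) and the
# DMZ leg (eth2); eth0 is deliberately left off.
check_forwarding_setup "$SAMPLE_SYSCTL" eth1 eth2
```

Because the checker only parses text, it can also be pointed at a listing copied from a 2.4 host and one from a 2.6 host side by side, which makes it straightforward to confirm that the sysctl values really are identical before looking elsewhere for the difference.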